10 Myths About PCI Compliance

This article is the first in a series

The myriad regulatory statutes and contractual obligations have caused community colleges to face increasingly complex requirements that govern how they protect cardholder data and other forms of confidential and sensitive information. Equally important is that key stakeholders such as students, parents, and alumni are demanding that campuses attest to their practices of securing sensitive data. Unfortunately, sometimes there is misleading advice or simply wrong information. The purpose of this article is to dispel common myths surrounding PCI compliance that can waste valuable time and resources or, more seriously, leave you vulnerable to a security breach.

PCI DSS was created to protect cardholder data. If your campus accepts credit card payments you must comply with the standard. It also means that all payment channels (whether face-to-face, mail, fax, or e-commerce) are within scope of PCI DSS. 

This myth reflects a misunderstanding of the risks involved. First, PCI compliance is not a "project" with a start and finish date. Rather, it is a process that requires ongoing commitment and resources. Second, compliance is a business issue (not merely a technology issue) that affects the entire college. The risks of a data compromise are both financial and reputational.

The major payment brands (American express, Discover, MasterCard, Visa, and JCB) formed the Payment Card Industry Security Standards Council (PCI SSC) as a private regulatory body to facilitate the development of a standard to act as a common set of minimum security requirements to be implemented by all merchants and service providers that handle sensitive credit card data. The payment brands themselves enforce the PCI DSS, regardless of size. If your campus stores, processes, or transmits any of the information recorded on a credit or debit card then you must abide by the PCI DSS or face significant fines, higher operating costs through increased compliance requirements, and potential suspension or expulsion from card processing networks. 

While merchants processing less than 20k transactions a year may not be required to seek compliance validation, the obligation for PCI compliance is still there, as are the consequences if the data you store or process is compromised.

Outsourcing your card processing to a third-party can simplify your compliance effort. It can be a great strategy with a good partner. However, outsourcing by itself is not enough to make you compliant. You receive and process cardholder data when you print daily transaction summaries, receive reports from your processor, or process chargebacks. You likely have stacks of paper receipts containing card numbers. You still have some compliance work to do. The good part is that outsourcing can make PCI compliance easier. Your compliance effort then can focus on policies and procedures.

PCI applies to every entity that stores, processes or transmits cardholder information, including retail point-of-sale services and mail/phone order. In fact anyone who takes card present transactions that involve POS devices is typically more at risk than e-commerce solutions. Quite often these types of transactions involve storage of track data (which is forbidden under PCI).

PCI is a prescriptive standard. This means it specifies both what is to be achieved and how it is to be done. As a result it is easy to be overwhelmed by the volume of PCI documents and supporting material. A closer look, though, will show that PCI contains nothing that is not a best practice already. Its elements are familiar to finance and IT professionals. Colleges practicing good security will find they already meet most PCI requirements.

Using a PA-DSS certified application is only one step. You must continue to implement all the other controls within the DSS that involve the management of the servers and networks that run the PA-DSS certified software. In other words, you have to install and maintain the application in a PCI-compliant manner.

The PCI DSS does not just apply to the storage of credit card data but also to the handling of data while it is processed or transmitted over networks, phone lines, faxes, etc. While not storing credit card data does eliminate some compliance requirements the majority of the controls required by the DSS remain in effect.

There are certain payment products that do transfer the burden of PCI compliance to the payment services provider, however they require that a customer be forwarded to the payment provider's servers to complete their order. If your website integrates with an API then you are still liable for PCI compliance since your servers capture and transmit the credit card data first.

ASV scans are only one part of PCI compliance. All merchants and service providers must also complete a self-assessment questionnaire (SAQ) that serves as a statement of compliance stating that your organization has implemented all of the relevant security controls described in the DSS. The SAQ is a mechanism for getting the information about the level of your compliance to your merchant bank or to the credit card companies. If a compromise took place and it was obvious that you were not, and have never been compliant, the matter would be taken very seriously by all the major payment brands.

PCI compliance is required of every campus and is something every business office must contend with and plan for, and it is not going away anytime soon. Understanding the intent of the Standard and what the Standard is not are equally important. 

This series will continue in the next issue with the key challenges the PCI DSS presents to the community college environment.